Section 17.03(2)(f)(2) of the Law mandates that entities holding Massachusetts residents' personal information require their third-party service providers to contractually commit to implementing and maintaining security measures for that personal information. The Law defines a service provider as

"any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to [the Massachusetts] regulation."

Companies subject to the Law should validate that any agreements with service providers that fall within this definition address the Massachusetts requirements, and any gaps in contract language should be immediately corrected.

As a matter of good information security practice, contracts with service providers should also include: (i) security audit rights, (ii) terms requiring that the service provider immediately notify the contracting party of any data breach, and (iii) language requiring that all personal information be returned or destroyed upon termination of the contract.
